Unless you spent your childhood with actuarial tables as a best friend, you probably don't like the word "audit." It conjures notions of paperwork and checklists and deadlines, and just a general swirl of annoying action items. What's even worse, is that it suggests the idea that someone suspects you did something wrong, and they're going to watch over you until you can prove you can do it right. It's like an adult version of after-school detention.
For companies that operate in the cloud, audits are used to ensure that companies adhere to rules and commonly accepted best practices. We use cloud security compliance standards to define what these practices are, how enterprises can function with them, and how they can provide a roadmap for better business operations. Standards like NIST 800-53 and NIST 800-171 are required for organizations to do business with the federal government. HIPAA sets the framework for working with privileged and personal health data, and PCI compliance is demanded for organizations doing digital payments. Comply and you can operate at the pleasure of standards organizations. Be out of compliance and your "license" to operate is revoked.
Ideally, an enterprise complies with the requirements of the standards they need/want to adhere to, and then their business functions more securely, more efficiently, and the governing bodies give their everlasting blessing. It would be nice if it were that simple, but that's never how compliance works. New servers are inserted into the IT environment, application updates are deployed, unrelated specs are mandated on top of other specs. With each change to your cloud and its component pieces, your enterprise risks missing something that will likely take it out of compliance. There are hundreds of lines of controls in the NIST 800-53 compliance spreadsheet, and each of those controls has a set of corresponding instructions. If just one of those conditions is not met properly, you're unfortunately out of compliance.
This is clearly a lot to manage, especially when your business needs to remain compliant in the midst of constant business and technology change. To add to your burden, you have to deal with audits that check to see if you’re compliant now, if your processes are optimized to meet compliance standards, and if you've been out of compliance and what, if any, repercussions might have come from that. I've met many auditors, and while generally a pleasant group, they can strike fear into an organization that doesn't fully know what's going on in their cloud infrastructure.
When audited, you will be required to furnish comprehensive reports that detail your compliance and security adherence. Ultimately, the auditor is acting in the interests of the data and the owners of that data. They want to see if that data, or the assets that touch it, have been compromised. There are a lot of records you’ll have to compile and analyze in order to deliver what the auditors request. A Plan of Action and Milestone Template (POAM) will be created which will guide you, under the direction of the auditors, back to a state of compliance.
The idea of manually maintaining a compliant state for your cloud, and being able to keep detailed reports of it over time is a massive undertaking. Beyond just the sheer amount of work it would take to constantly check all the layers of your cloud stack and compare them with compliance controls, there's also the opportunity cost. Managing compliance distracts a highly skilled part of your IT team from performing more business-critical functions.
Two things need to happen if you truly want to be in control of compliance management and be prepared for audits:
Some solutions will deploy agents within your infrastructure - avoid that because it will just give you more to manage. An agent-less, cloud-native solution will work continuously on your behalf and according to the requirements of compliance standards when your data is in AWS, Azure, or any public cloud. You can then use your time more effectively in creating remediation processes that can also be triggered with a cloud-based monitoring and risk assessment solution.
Audits are necessary and actually help you improve your brand value. When validated to operate under specific standards, they open new business potential for your enterprise and increases your potential audience. The actual work of being audited, however, is a pain in the neck unless you've used a cloud monitoring solution that helps you avoid compliance issues and track all your compliance and security activity. When you've done that, your audits still won't be fun, but they'll be a lot less painless and your organization will avoid unnecessary interruption.
Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio